Web Security & Commerce: Make room on your shelves for this one
The latest Garfinkel and Spafford book tells us why we should worry about Web security and why Web servers are so vulnerable to attack
Garfinkel and Spafford have done it again, publishing a pile of useful information in Web Security & Commerce. This month, Pete's Wicked World provides an in-depth review of the new book. Also in Pete's Wicked World this month: The Bookstore has a pointer to useful security URLs. In The Buglist, Sun has released important patches for talkd and ping bugs. This month's column also introduces new coverage of break-ins. Finally, new commercial products, including Trusted Solaris 2.5.1, are discussed in The Toolbox. And remember that The Solaris Security FAQ is always available for all your Solaris security information needs. (2,700 words)
Web servers at risk
Another reason to worry about Web server security is vulnerability to attack. This vulnerability results from the Web's attributes:
In fact, Chapter 1 should be required reading at companies with a Web presence. It provides a clear overview of Web security. Rather than resorting to fear, uncertainty, and doubt, it describes the reality of the Web. For instance, it points out that encryption is not useful in many situations. Consider the example of a purchase via credit card over the Web. Encrypting the transaction is not necessary from the customer's point of view because of the customer's very limited liability. Most Web-based credit card thefts occur when the server that holds all the credit card information is breached. In this case the data could have been encrypted, but by the time it is stored on the Web server it is in clear text. Furthermore, encryption and protection of a credit card number is mostly a benefit to the credit card issuer. However, the issuers are working on implementing the SET protocol for just that purpose.
Chapter 1 also includes information that is important to all Web users. For instance, it discusses the liability differences between the use of credit and debit cards for purchases and the real credit card use risks. For the customer, these risks include:
For the merchant, there are even more risks:
Web Security & Commerce includes extensive discussions of all of the issues that are important to Web users and Web sites. In regards to Web users, it discusses such issues as the use of social engineering to induce users to create security holes on their systems, programs that are not safe to use as plug-ins, the power of spoofing, and browser security flaws. In the Java and JavaScript chapter, the language and its security model are discussed, as are the practical issues of setting Java security policy within Navigator and Explorer.
The book is not without its flaws; however, they are minor. For instance, on page 22 SSL is reported to listen on port 447 rather than 443. This port number is correct elsewhere in the book. There are some organizational issues as well, such as the inclusion of the denial-of-service attack section in the Java chapter. The topic might have fit better in Chapter 13: Host and Site Security. Chapter 13, especially compared to the rest of the book, is rather weak. Of course this is not unexpected given that entire books are devoted to just that topic, including the excellent Practical Unix and Internet Security by the same authors. Similarly, the legal aspects that are covered in Chapters 18 and 19 are (as the authors admit) overviews of a larger topic that demands and receives book-length coverage elsewhere. Finally, there is no mention of the role of firewalls in blocking URL access.
The major strengths of the book are its practicality and readability. Major sections on digital certificates and cryptography explain the unexplainable. The information on cryptography and U.S. Export Control Law is valuable to anyone creating a Web site designed for international access. Appendix A contains a case study of running an ISP and makes for interesting reading -- it's a cautionary tale full of wise advice for ISPs and, as it turns out, all computer and phone system managers.
Garfinkel and Spafford have done it again, making me squeeze yet another essential book onto my groaning bookcases. I don't begrudge the space though.
Title: Web Security & Commerce
Author: Simson Garfinkel and Gene Spafford
Publisher: O'Reilly & Associates
ISBN: 1565922697
List price: $32.95
Bug of the Month Club
Unfortunately, Solaris security bugs continue to appear. This month a flaw has been discovered in talkd on practically all versions of Solaris. The bug allows anyone who can connect to the talkd daemon on the target host to execute arbitrary programs as the root user. The details of the bug and the released patches are in Sun Security Bulletin #00147.
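Until the patch from the bulletin is applied, the usual mitigation for a flaw in an inetd-launched daemon is to make sure the service is not enabled at all. The following script is an added example written for this column, not code from the bulletin or from Sun: it scans an inetd.conf-style file for uncommented `talk` and `ntalk` entries (the service names under which in.talkd is conventionally started) and reports whatever is still switched on. The file contents it runs against are a constructed sample, not a real host's configuration.

```shell
#!/bin/sh
# Added example: report talk-family services that an inetd.conf still enables.
# Assumes the standard inetd.conf layout (first field = service name, lines
# beginning with '#' are disabled). Not taken from the column or from Sun.

# Print the service name of every enabled talk/ntalk line in the file given as $1.
list_talk_services() {
    awk '$1 !~ /^#/ && ($1 == "talk" || $1 == "ntalk") { print $1 }' "$1"
}

# Count the enabled talk/ntalk lines in the file given as $1 (prints 0 when none).
count_enabled_talk() {
    list_talk_services "$1" | wc -l | tr -d ' '
}

# Constructed sample inetd.conf fragment for demonstration only:
# ftp enabled, talk commented out (disabled), ntalk still enabled.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# constructed sample, not a real host's configuration
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#talk   dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
EOF

if [ "$(count_enabled_talk "$SAMPLE_INETD")" -gt 0 ]; then
    echo "talk services still enabled in $SAMPLE_INETD:"
    list_talk_services "$SAMPLE_INETD"
else
    echo "no talk services enabled in $SAMPLE_INETD"
fi
rm -f "$SAMPLE_INETD"
```

On a real host, point `list_talk_services` at `/etc/inetd.conf`; an empty result means inetd will not start in.talkd, and a non-empty one means the line should be commented out and inetd sent a HUP signal to reread its configuration.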
And at long last, Sun has released patches to fix the SunOS and Solaris vulnerability to "ping of death" attacks. The information is included in Bulletin #00146.
The Bookstore
There are many personally-managed lists of security resources on the Internet. Patrick Oonk has put together a set of useful links that may not already be in your bookmark list.
Break-ins
There was unpleasant news for users of ESPN SportsZone and nba.com when they received e-mail claiming that their credit card information had been stolen. Up to 2,397 users may have their information in jeopardy. Check out the brief press article for a few more details.
The Toolbox
Sun has announced the release of a more secure "Trusted Solaris". It includes extensive auditing and security configuration features. I hope to include details of how useful or limiting Trusted Solaris is in a future column.
Trusted Solaris 2.5, an operating environment based on Sun's release of Solaris 2.5.1, provides the multilevel security and robust host security required by commercial and government customers. It is a complementary offering to Solaris that includes the Trusted CDE Window System, trusted file systems, trusted networking, security profiles, and trusted roles. It supports the new machines based on UltraSPARC technology, and provides interoperability with standard Unix hosts.
Differential Inc. has announced a product for securing extranets in an open, extensible manner. It claims to provide for easy encryption and authentication over the Internet via ftp and http protocols. The product includes auditing and secure remote administration. If you're looking to secure communications to remote sites, it might be worth a look.
Conferences
It's time to determine a strategy for getting your management to send you to some high-quality, security-related conferences. Usenix LISA '97 is in October and promises to provide its usual irresistible content and tutorials. Its San Diego setting also allows for off-hours fun.
Other upcoming conferences include SANS '97 and Unix and the Law III.
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. peter.galvin@sunworld.com
If you have technical problems with this magazine, contact webmaster@sunworld.com
URL: http://www.sunworld.com/swol-08-1997/swol-08-security.html
Last modified: